I.T. Security and Linux Administration

I didn’t intend to write this post; in fact, I had a whole idea for a post to write about, but that will come tomorrow. I want to address some things. As this was a longer post than I originally intended, I’m placing a skipper (“Continued…”) part here.

It’s 12:40 AM here as I’m typing this, on a Saturday night, and what better thing to do than discuss some security? I’m all for healthy competitions (heck, I even partake in some wargames for the fun of it), but this is one that could really benefit you. Here are the main points: GCHQ (a British government organization) is using the web to recruit new people for its security team. Now, this may not sound new at all to many, because, hey, who hasn’t used Craigslist or Monster to get people for a position? This is different, however. They are running a website called Can You Crack It?, which, when you visit it, prompts you with a welcome screen to crack a code. Once you get the key code, apparently (though I can’t vouch for it, as I haven’t cracked it myself) you’ll be presented with a true welcome screen.

This is pretty intuitive, in my opinion. In fact, I’ll be documenting my progress here for the duration of this project (which ends in 7 days). Will I get it solved? Most likely not…I’m not a whiz when it comes to this kind of stuff, but why not try and have some fun with it? I’m not sure if you can have mulligans with this or not, but it does seem the code is static. I’ll be posting more about this, most likely tomorrow, after I drink some more hot chocolate and try to fuse every single brain cell I have to solve this.

Dave Taylor wrote an interesting editorial/tutorial in the most recent edition of Linux Journal in which he parses Twitter’s HTML to find out how many tweets and such a user has made. This got me wondering: is it worth it? I mean, Twitter has a pretty robust API from which you can already get this information. Do they have a Bash library (which is what Dave’s article discusses)? No, unfortunately, although that would be pretty interesting. But, as most sysadmins use one language or another that does have an official library binding to Twitter, why not use that instead?

I know this sounds weird coming from me, especially since I tend to reinvent the wheel more than I should. Most of the time I do that, though, it is to get a better understanding of what is happening in those libraries. Dave teaches us the use of regex, sed, grep and cURL…none of which is really beneficial to this process, and doing it in Bash could possibly make it slower.

By now everyone should know I love Bash and its portability. However, I also feel that in these cases, especially when it’s giving problems that are not easy to debug, it might be best to just use pre-made solutions. Such was the case, for example, when I was trying to implement RSA in a PAM module I’m working on. I could do it myself, but I know I would not make an efficient solution, so I decided to use a pre-made one.

My question to the readers, though, is: what do you think? Is a bare-bones API (i.e., Twitter’s) worth re-writing in a (let’s be honest here) outdated language? Or am I just going crazy and being attacked by holiday-cheerful penguins that want me to do nothing but work on benchmarking tests?

I’ve been noticing my /var/log getting pretty full over the past week. I’ve deleted some old logs that were made by logwatch, but wanted a better (read: lazier) solution. Now, if you don’t care about the contents of the log files, then this is awesome. However, I generally wouldn’t try this on a production environment unless you know the logs won’t be needed. Here’s the one-liner I use:

find . -type f -exec sh -c ': > "$1"' sh {} \;

This assumes you’re in the /var/log directory (or wherever your logs are stored). A simple routine to just clear out the contents of every log. This brought my /var directory from 92% usage to 22% usage (which, as a side note, has 4.6 GB of space allocated).
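A slightly more careful version of the same idea, as an added example (this is not the post’s one-liner, and it assumes only POSIX sh, find and du): it insists on an absolute path so a stray cwd cannot wipe the wrong tree, truncates rather than deletes so daemons still holding a log open keep writing to the same inode, and returns how many files it touched. On anything that might be investigated later, remember that logs are evidence; logrotate with compression is the right tool there, and this is for the case the post describes, where you have decided the contents are disposable.

```shell
# Added example, not the post's own one-liner. Truncate every regular file
# below an absolute log directory in place and print how many were touched.
clear_logs() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "clear_logs: give an absolute path, not '$dir'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "clear_logs: not a directory: $dir" >&2; return 1; }
    # -type f matches only regular files, so a symlink planted in the log
    # directory that points somewhere else is never followed. The inner sh
    # quotes "$1", so names with spaces survive, and ': >' truncates without
    # writing anything (echo '' leaves a one-byte file behind). -print after
    # -exec lists only the files whose truncation succeeded.
    n=$(find "$dir" -type f -exec sh -c ': > "$1"' sh {} \; -print | wc -l)
    # The files are truncated, not unlinked: each inode is unchanged, so a
    # daemon that still holds a log open keeps writing to it and the blocks
    # are really freed. rm on an open file frees nothing until the writer
    # closes it, which is the usual reason "I deleted the logs" does not
    # lower df.
    echo "$((n))"
}

# Kilobytes in use below DIR, to compare before and after.
log_usage_kb() {
    du -sk "$1" | cut -f1
}
```

Typical use is `before=$(log_usage_kb /var/log); clear_logs /var/log; log_usage_kb /var/log`, run as root, after you have confirmed nothing in that tree (rotated archives included) will be needed again.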

Citrix recently put out an interesting white paper detailing the reasoning behind using 2048-bit RSA keys for SSL instead of the 1024-bit keys that are (technically) the de facto standard. While the white paper also exists to market and sell their own products, it does raise some interesting points…but, most importantly, is there really a need to raise the bit strength of our SSL keys?
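Whatever you conclude about the paper, the practical question is how to find the 1024-bit keys you already have. The following is an added example (not from Citrix’s paper or this post) that reads the RSA modulus size out of a private key or a certificate and fails closed below a minimum; it assumes the openssl command-line tool (1.x or 3.x) is installed, and the 2048-bit floor reflects NIST SP 800-131A, which deprecates 1024-bit RSA signatures and disallows them after 2013.

```shell
# Added example, not from Citrix's paper or the post. Report the RSA modulus
# size of a private key or certificate and refuse anything under a minimum.
# Assumes the openssl CLI (1.x or 3.x) is on PATH.

# Print the modulus size in bits of an RSA private key file (PEM).
# openssl 1.x prints "RSA Private-Key: (2048 bit)", 3.x adds ", 2 primes";
# the sed pattern tolerates both.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print the modulus size in bits of the public key inside an X.509 cert (PEM).
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# require_bits key|cert FILE [MIN]
# Exit 0 if FILE carries an RSA key of at least MIN bits (default 2048),
# 1 if it is weaker, 2 if the file cannot be read as the given kind.
require_bits() {
    kind=$1 file=$2 min=${3:-2048}
    case $kind in
        key)  bits=$(key_bits "$file") ;;
        cert) bits=$(cert_bits "$file") ;;
        *)    echo "require_bits: kind must be key or cert" >&2; return 2 ;;
    esac
    [ -n "$bits" ] || { echo "require_bits: could not read $file" >&2; return 2; }
    if [ "$bits" -lt "$min" ]; then
        echo "$file: $bits-bit RSA key is below the $min-bit minimum" >&2
        return 1
    fi
    echo "$file: $bits-bit RSA key OK"
}
```

Run it over `/etc/ssl/private/*.pem` (as root) and the certificates your web and mail servers actually present; the certificate check is the one that matters for clients, since a 1024-bit leaf or intermediate in the chain caps the whole handshake regardless of how strong the server’s own key is.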

Letting everyone who reads my blog know that if you can’t attend LinuxCon Europe, they’re offering free streaming of the Wed., Thurs. & Fri. seminars. While it doesn’t look to be all-day free streaming (I could be wrong), the streams at least highlight some important aspects of it. Here’s the tweet that the Linux Foundation sent out not too long ago:

Can’t make it to #linuxconeurope in Prague this week? See Torvalds and others on our live video stream: http://t.co/p7FHVPVw

This seems like a pretty interesting event, especially given the release and development of Linux 3.0.

While testing new security possibilities on my home network, I was wondering how to make TrueCrypt volumes accessible over the network without having to mount the container itself locally. Granted, I was doing all of this during a 2 A.M. programming-and-security binge, so I wasn’t thinking clearly, but I finally stumbled upon an old friend of mine, sshfs. Basically, sshfs is mount for SSH: it mounts a given remote directory over SSH (so you can also use key authentication…with a little bit of trickery), and if the remote server already has a TrueCrypt container mounted, you can just use sshfs to reach it. Here’s how!
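The shape of that mount, as an added example rather than the post’s own steps: a small wrapper that mounts the directory the server has its TrueCrypt volume on, using a specific key (the “trickery” is just ssh’s IdentityFile option, which sshfs passes through -o). It assumes sshfs/FUSE on the client; the user, host, paths and key file are placeholders, and the SSHFS variable exists only so the call can be dry-run. Keep in mind what this does and does not protect: the volume is plaintext on the server for as long as it stays mounted there, readable by anyone on that box with access to the mountpoint, and sshfs only encrypts the path over the wire.

```shell
# Added example, not the post's own steps. Mount a directory the remote host
# already has a TrueCrypt volume mounted on, over SSH with a specific key.
# Assumes sshfs/FUSE on the client; host, user, paths and key are placeholders.

# mount_tc_share USER HOST REMOTE_DIR MOUNTPOINT KEYFILE
# Returns sshfs's exit status, or 1 without running anything if inputs are bad.
# SSHFS names the sshfs binary and exists only so the call can be dry-run.
mount_tc_share() {
    user=$1 host=$2 remote=$3 mnt=$4 key=$5
    [ -n "$key" ] && [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 1; }
    [ -d "$mnt" ] || { echo "mountpoint is not a directory: $mnt" >&2; return 1; }
    # ssh options pass straight through -o. IdentityFile makes sshfs use the
    # key instead of prompting; IdentitiesOnly stops ssh-agent from offering
    # every other key it holds to this host. StrictHostKeyChecking=yes fails
    # closed on an unknown host key, so seed known_hosts out of band first.
    # reconnect + ServerAliveInterval survive a dropped link instead of
    # leaving a dead mount; idmap=user maps the remote owner to you locally.
    "${SSHFS:-sshfs}" \
        -o IdentityFile="$key" \
        -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes \
        -o reconnect \
        -o ServerAliveInterval=15 \
        -o idmap=user \
        "$user@$host:$remote" "$mnt"
}

# Unmount a FUSE mount; fusermount is the FUSE helper on Linux.
umount_tc_share() {
    "${FUSERMOUNT:-fusermount}" -u "$1"
}
```

For example, `mount_tc_share alice tc.example.test /mnt/tc ~/tc ~/.ssh/tc_key` followed later by `umount_tc_share ~/tc`; the remote side needs nothing beyond sshd and the container already mounted at /mnt/tc by a user whose account the key logs into.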

In this month’s issue of Linux Journal, they wrote about a CLI network monitoring tool called sinfo. At first it looked like a great program to explore the network a little bit, as you can also use it to monitor remote computers (on the LAN and such). As a side note, since I had a little bit of trouble figuring out how exactly to make that work, I’ll write up a short tutorial on it soon. But, back on topic, I soon realized that sinfo is in neither the AUR nor any “official” repos for Arch Linux, so I took it upon myself to package it. The end result can be found here: https://aur.archlinux.org/packages.php?ID=53144.

If you use Arch Linux (the official site already has a repo for Debian systems) and you want to try out a genuinely very useful tool, give it a try.

I’ve mentioned a good couple of times here how to set up SSH key authentication, as well as some of its benefits. But I was always wondering how (and if) I could make it more automated. Then it hit me: there’s always ssh-keygen’s wonderful man page! A good hour or two later, I’ve come up with two different methods of doing this. One is purely automated (minus asking for the passphrase), and the other has default answers for each prompt.
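One fully non-interactive way to do it, as an added example that is not either of the post’s two methods: a key is generated with every prompt pre-answered through ssh-keygen’s own flags, and its public half is installed into an authorized_keys file with the modes sshd’s StrictModes requires. It assumes OpenSSH’s ssh-keygen on PATH; the file names and comments are placeholders.

```shell
# Added example, not the post's two methods. Generate an SSH key without any
# prompt and install its public half into an authorized_keys file with the
# permissions sshd insists on. Assumes OpenSSH's ssh-keygen is on PATH.

# make_key KEYFILE COMMENT [PASSPHRASE]
# Creates KEYFILE and KEYFILE.pub. An empty passphrase is what unattended
# jobs need, but the private key is then only as safe as the file itself.
make_key() {
    keyfile=$1 comment=$2 pass=${3:-}
    # ssh-keygen asks "Overwrite (y/n)?" if the file exists even with -q,
    # which is the one prompt -N and -f do not suppress. Refuse instead of
    # silently replacing a key that something may still trust.
    if [ -e "$keyfile" ]; then
        echo "make_key: $keyfile already exists, not overwriting" >&2
        return 1
    fi
    # -N passes the passphrase as an argument, so it is visible in ps for
    # the moment ssh-keygen runs; for a real secret prefer the interactive
    # prompt. ed25519 keys have one fixed size, so no -b is needed.
    ssh-keygen -q -t ed25519 -f "$keyfile" -N "$pass" -C "$comment"
}

# install_pubkey PUBFILE AUTHORIZED_KEYS
# Appends the key once (idempotent) and fixes directory and file modes, since
# sshd with StrictModes (the default) ignores group- or world-writable ones.
install_pubkey() {
    pub=$1 auth=$2
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # Compare on type and key material only, so a changed comment does not
    # produce a duplicate entry.
    key=$(awk '{print $1, $2}' "$pub")
    if grep -qF "$key" "$auth"; then
        return 0
    fi
    cat "$pub" >> "$auth"
}

# Number of keys currently authorized, for a quick sanity check.
count_keys() {
    grep -c '^ssh-' "$1"
}
```

Usage is `make_key ~/.ssh/backup_ed25519 "backup@$(hostname)"` and then, on the target host, `install_pubkey backup_ed25519.pub ~/.ssh/authorized_keys`. For a key that will only ever run one job, prefix its authorized_keys line with `command="..."` and `from="..."` so a leaked file buys an attacker that command from that address and nothing more.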

Ever wondered how you can make sure people don’t view a page they’re not supposed to (i.e., restrict them from accessing certain files, such as /var/www/domain.com/topsecretdocs/files_list.php)? Well, most people come up with the idea of putting a define() in the page that includes the file in question (in this case, files_list.php), and then doing a simple if(!defined(…)){ die(“HACKER”); } kind of thing in that file, similar to what phpBB does with its files. But there is a simpler way of handling this particular situation.

About This Blog

Tools and tips to assist you in your Linux lifestyle. While deviating sometimes to other operating systems, or off-topic discussions, the focus of this blog is to bring a new life to the Linux world, and hopefully a new insight to the happenings in the Linux and open source community as a whole.